Hosting healthcare data

03 January 2017

In a global, digital world, the hosting of personal healthcare data is no longer confined to a few isolated stakeholders. Electronic medical records, connected medical devices, healthcare apps: these new tools are promoting the collection, storage and sharing of healthcare data between hospitals, doctors, researchers, laboratories, patients and service providers on an unprecedented scale. France has set out new rules for the hosting of personal healthcare data, in order to safeguard the rights and privacy of patients whilst at the same time taking full advantage of the extraordinary potential of Big Data. Taking a line between transparency and security, the French legislation has the potential to adapt to the future of eHealth.

Key figures

Between 2009 and May 2016, the Accreditation Committee received nearly 280 applications, 96 healthcare data hosting providers were accredited and nearly 100 accreditation decisions are currently pending.

Orange Healthcare healthcare data hosting services

Orange Healthcare has made data protection its priority.
With that in mind, Orange became the first telecommunications operator in France to become an accredited provider of hosting services for personal healthcare data, following a long and thorough screening process that covered a wide variety of criteria, from access to data, authority and control, to risk assessment.
As a trusted third party, Orange Healthcare offers its expertise in the hosting, storage and archiving of personal healthcare data to healthcare establishments. Its Flexible Computing Santé service uses Cloud Computing technology to enable healthcare establishments and professionals to store hosted data and access it remotely on demand. This solution is completely tailored to the establishments’ actual needs and can be adapted over time to changes in these needs, to guarantee performance and flexibility.

Remote consultation of medical records, transmission of examination results to colleagues in order to share diagnoses, daily monitoring of a patient’s heart rate, etc. The rise of telemedicine is just one of many examples illustrating the important role data will play in our healthcare system in years to come. This raw and sensitive information, with its implications for the privacy of individuals, has therefore been the focus of specific attention from the French legislature for some years now. The law of 26 January 2016 on the modernisation of the French healthcare system introduced significant changes to the legal framework for the hosting of healthcare data, extending its scope and replacing the accreditation procedure for hosting providers with a certification procedure.

Scope extended to cover any healthcare data controllers

The new law stipulates that: “Any person who hosts personal healthcare data collected within the framework of prevention, diagnosis, care and social or socio-medical follow-up activities, on behalf of natural or legal persons initiating the generation or collection of such data or on behalf of the patient themselves, must be accredited for that purpose.” The 2016 Act therefore amends Article L. 1111-8 of the Code de la santé publique (the French Public Health Code), which required “healthcare establishments” and “healthcare professionals” to use the services of an accredited hosting service provider, by extending this obligation to “any legal or natural person who processes or collects personal healthcare data”. This clarification brings into scope any stakeholders who are likely to process and outsource the hosting of personal healthcare data, from hospitals to insurance companies. “The 2002 legislation could be interpreted restrictively; the notion of ‘healthcare establishment’ was not sufficiently clear to ensure that patients’ data would be protected regardless of where they were being treated”, explains Kahina Haddad, a healthcare lawyer and project lead for the accreditation procedure at ASIP Santé[1]. Furthermore, the 2016 Act applies to a broader category of data, and includes data collected within the framework of “social or socio-medical follow-up”, clearing up an ambiguity regarding the data that is covered. It is not only a matter of protecting the data collected by doctors, healthcare professionals, hospitals and clinics; it also includes data processed by residential homes for the elderly (EHPADs), occupational health services or even sports associations.

A root-and-branch review of the accreditation process

It appears that the 2016 Act intends to reconsider as pragmatically as possible the shortcomings of the current process, which accredits healthcare data hosting providers for three years. “This system was set up in 2002 under the Kouchner Act, with the aim of safeguarding the security of healthcare databases. A decree[2] in 2006 introduced a procedure which proved to be too long-winded and too much of an administrative burden”, Ms Haddad points out. The reason for this is that the procedure that candidates for accreditation were required to complete involved numerous stakeholders: the CNIL (the French data protection agency), an accreditation committee comprising representatives from IGAS[3], CNOM[4], UNPS[5], patients’ associations, lawyers and IT experts, etc. These consultative bodies were responsible for issuing opinions which were then submitted to the French Ministry of Health, requiring processing periods of 6-8 months, which was not compatible with the companies’ business plans. Quite apart from the time-consuming nature of this process, it also had the disadvantage of being expensive for the State, which was responsible for the accreditation process, and of not providing proper guidance to candidates on how to prepare their application. “The 2006 decree set out the objectives to be met by the candidate hosting provider, without giving details of the technical resources required to achieve them”, says Ms Haddad. The new certification procedure addresses this lack of clarity, as explained by Pierre Desmarais, a healthcare lawyer specialising in eHealth and innovation: “There is currently no transparency at all, and candidates are not aware of the criteria against which they will be judged. We are moving over to a more transparent procedure with a genuine benchmark.”

A certification benchmark based on international standards

The Act of 26 January 2016 gives the Government the power to legislate by means of executive orders to replace the current accreditation procedure with a certification procedure, which will be conducted by private-sector bodies rather than by the State. “Certification will mean the procedure can be automated, costs reduced and the system made more transparent and predictable for companies”, Kahina Haddad explains. In order to do this, the companies involved and the DSISS have already worked on a common benchmark for certification, which was put out for public consultation in October 2016. “The key advantage for the companies is that the certification will be based on international standards, on recognised industry benchmarks, such as ISO 27001. This will enable hosting service providers to assess their compliance with the benchmark earlier on in the process, to select the specific area in which they want to be certified and to use the certification for purposes other than the hosting of healthcare data”. This means time is saved and the hosting service providers have a better understanding of the procedure, with consistent security requirements, but it also means that the service providers are more closely monitored, as certification carries with it an on-site audit carried out by the certifying body. Certification, therefore, addresses the need to safeguard the security of healthcare databases and responds to the spectacular growth in the computerisation of healthcare data: “The volume of applications from candidate healthcare data hosting providers has gone through the roof”, states Kahina Haddad. “We need an automated system to respond to this growing market.”

[1] ASIP Santé: French digital healthcare agency.
[2] Decree No 2006-6 of 4 January 2006.
[3] IGAS: Inspection générale des affaires sociales, the French inspectorate-general for social affairs.
[4] CNOM: Conseil National de l’Ordre des Médecins, the French national medical council.
[5] UNPS: Union Nationale des Professionnels de Santé, the French national union of healthcare professionals.